
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-06-30



Packet-Filtering Malware; XMLRPC Vulnerabilities; phpBB Highlight Vulnerability; Fake MS Bulletins

Published: 2005-06-30
Last Updated: 2005-07-01 13:06:36 UTC
by Robert Danford (Version: 1)
0 comment(s)

Packet-Filtering Malware


We had some readers (thanks Steve) write in regarding a new malware strategy: filtering packets instead of mucking with the local hosts file. It is mentioned in the excellent F-Secure blog:

http://www.f-secure.com/weblog/#00000585

and described in full here:

http://www.f-secure.com/v-descs/fantibag_b.shtml




Instead of redirecting anti-virus sites to localhost (127.0.0.1)

http://www.answers.com/topic/localhost

with hosts file entries like these, which essentially prevent firewall and anti-virus updates from occurring,

127.0.0.1 www.pandasoftware.com
127.0.0.1 www.symantec.com
127.0.0.1 www.mcafee.com

it blocks the actual network traffic. That is much harder to detect and troubleshoot: the hosts file looks clean and the vendor name still resolves normally, but the update connection never completes.
I guess we need health checking in all of our anti-virus now, so the end user
can be alerted if updates can't be retrieved (but I'm sure most users would really love
to have another pop-up warning window...)
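The health check suggested above, as an added example (not F-Secure's analysis and not any vendor's code): it separates the two cases the diary contrasts. A vendor name that the hosts file maps to loopback is the old trick; a name that resolves to a routable address and still cannot be connected to is the packet-filter pattern, which a hosts-file-only check would miss. The three vendor names come from the diary's hosts-file example; the sample hosts file, the use of port 80 and the injectable resolve/connect callbacks are assumptions made so the logic runs offline.

```python
"""Added example for the diary's health-check idea (not F-Secure's or any
vendor's code): tell a hosts-file redirect apart from a packet filter that
drops update traffic."""
import ipaddress
import os
import socket

# Vendor hosts to probe: the three names from the diary's hosts-file example.
UPDATE_HOSTS = ["www.pandasoftware.com", "www.symantec.com", "www.mcafee.com"]

# Constructed sample hosts file, modelled on the diary's example.
SAMPLE_HOSTS = """\
# hosts file tampered with by hosts-file-redirecting malware (constructed sample)
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com   # redirected to loopback
127.0.0.1       www.symantec.com
"""


def hosts_redirects(hosts_text, names):
    """Return {name: address} for each watched name that the hosts file maps
    to a loopback or unspecified address (the diary's 127.0.0.1 trick)."""
    watched = {n.lower() for n in names}
    found = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenise
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # not a hosts entry
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:
            if name.lower() in watched:
                found[name.lower()] = str(addr)
    return found


def diagnose(name, hosts_text, resolve, connect, port=80):
    """Classify why an update host might be unreachable.

    resolve(name) -> IP string (raises OSError on failure) and
    connect(ip, port) -> bool are passed in so the logic can be exercised
    offline; live_resolve/live_connect below are the real implementations.
    Returns (status, detail).
    """
    redirected = hosts_redirects(hosts_text, [name])
    if name.lower() in redirected:
        return "hosts-redirect", redirected[name.lower()]
    try:
        ip = resolve(name)
    except OSError as exc:
        return "dns-failure", str(exc)
    if connect(ip, port):
        return "ok", ip
    # Name resolved to a routable address and the hosts file is clean, yet the
    # connection failed: the packet-filter pattern (or a plain outage).  A
    # hosts-file-only check reports nothing here.
    return "traffic-blocked", ip


def live_resolve(name):
    return socket.gethostbyname(name)


def live_connect(ip, port, timeout=5.0):
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def health_check(hosts_text, names=UPDATE_HOSTS,
                 resolve=live_resolve, connect=live_connect):
    """Run diagnose() over every update host; any status other than 'ok'
    is what the diary's pop-up would have to tell the user about."""
    return {n: diagnose(n, hosts_text, resolve, connect) for n in names}


if __name__ == "__main__":
    # Read the real hosts file (Windows path first, then the Unix one).
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if not os.path.exists(path):
        path = "/etc/hosts"
    with open(path) as fh:
        for host, (status, detail) in health_check(fh.read()).items():
            print("%-24s %-16s %s" % (host, status, detail))
```

Run it as a script on a live machine and it probes the real hosts file and network; the "traffic-blocked" status is the one worth alerting on, since it is the case nothing else on the host will flag.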

XMLRPC Vulnerabilities (fixed)


James Bercegay wrote in regarding several security holes he discovered
in XML-RPC libraries for PHP:

PHPXMLRPC

Version 1.1 is vulnerable to remote code execution via
a careless eval call. The hole has been fixed and a patch is available.

PEAR XML_RPC Library

Versions 1.3.0 and earlier are vulnerable to remote code
execution. The issue has been fixed and a patch is available.

These libraries are bundled with a number of applications such as
PostNuke, Drupal, TikiWiki, and b2evolution, so an application that ships
its own copy of the library needs to be updated as well, not just the
standalone package.

Advisory Info:

http://www.securityfocus.com/bid/14088
http://www.securityfocus.com/bid/14094
http://www.frsirt.com/english/advisories/2005/0911
http://www.frsirt.com/english/advisories/2005/0912

Thanks for the heads-up James, and for the excellent job working with the vendors and
the conscientious disclosure.
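The "careless eval" bug class behind both advisories, as an added example. This is a Python model, not PHPXMLRPC or PEAR XML_RPC code: a request parser that assembles source text from the XML it is parsing and then eval()s it, next to the correct approach of building the value directly from the parsed element. The method name, the marker function and the payload are invented for the demonstration.

```python
"""Added example for the XML-RPC advisories (a Python model of the bug class,
not the PHP libraries' code): source text built from request data and
eval()'d, beside a parser that never generates code."""
import xml.etree.ElementTree as ET

EXECUTED = []            # records whether attacker-controlled code ran


def attacker_marker():
    """Stands in for whatever the injected code would do (invented)."""
    EXECUTED.append("ran")
    return "pwned"


def parse_strings_vulnerable(request_xml):
    """Careless-eval pattern: each <string> becomes a quoted literal in a
    piece of generated source, and the whole thing is eval()'d.  A quote
    in the data closes the literal and the rest is interpreted as code."""
    root = ET.fromstring(request_xml)
    literals = []
    for value in root.iter("value"):
        s = value.find("string")
        if s is not None:
            literals.append("'" + (s.text or "") + "'")   # no escaping
    generated = "[" + ", ".join(literals) + "]"
    return eval(generated)                                # the bug


def parse_strings_fixed(request_xml):
    """No code generation: the parsed text is the value.  The same payload
    comes back as an ordinary string and nothing executes."""
    root = ET.fromstring(request_xml)
    out = []
    for value in root.iter("value"):
        s = value.find("string")
        if s is not None:
            out.append(s.text or "")
    return out


# Constructed requests; the method name is invented.
BENIGN_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>demo.echo</methodName>
<params><param><value><string>hello</string></value></param></params>
</methodCall>"""

# The payload closes the generated literal, splices in a call, and reopens
# a literal so the generated source stays syntactically valid:
#   [''] + [attacker_marker()] + ['']
INJECTED_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>demo.echo</methodName>
<params><param><value><string>'] + [attacker_marker()] + ['</string></value></param></params>
</methodCall>"""


if __name__ == "__main__":
    print(parse_strings_vulnerable(BENIGN_REQUEST))    # ['hello']
    print(parse_strings_fixed(INJECTED_REQUEST))       # payload returned as data
    print(parse_strings_vulnerable(INJECTED_REQUEST))  # ['', 'pwned', '']
    print(EXECUTED)                                    # ['ran']
```

Escaping the quote would only paper over this; the fix in both libraries, and in the second function here, is to stop generating code from request data at all. Parsing untrusted XML has its own hazards (entity expansion, external entities), which this example does not address.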

Backdoor.Win32.DSSdoor.b


There have been some recent reports of click-fraud malware (Backdoor.Win32.DSSdoor.b).

Excellent technical writeup:

http://www.mnin.org/write/2003_tcposmod.html

Reporting Phishing


If you have discovered phishing, here are some reporting links that may come in handy:

http://www.antiphishing.org/index.html

Reporting page:

http://www.antiphishing.org/report_phishing.html

Here is a resource for government reporting sites:

http://www.cybercrime.gov/reporting.htm


phpBB Highlight Vulnerability Re-introduced


We've had some folks writing in regarding Snort signatures for the new phpBB vulnerability.

This vulnerability is a re-introduction of the same bug that existed in phpBB
versions earlier than 2.0.11; it was (apparently) accidentally reintroduced during
work between 2.0.14 and 2.0.15. Existing Snort signatures (Sourcefire sid:2229 and
Bleeding-Snort sids:2001457, 2001557, 2001604, and 2001605) will detect the common exploits.

Also, a more generic treatment of this vulnerability is as follows:


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (sid:2005063001; rev:1; \
msg:"[ISC] possible phpBB <= 2.0.15 code injection"; \
flow:to_server,established; \
uricontent:"viewtopic.php|3f|"; nocase; \
pcre:"/[?&]highlight=(.\.|%27%2E|%2527%252E)\S+\(/iU"; \
classtype:misc-attack; )


One final note: this is the same bug that Santy.A exploited.
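The generic rule above, exercised over constructed request lines as an added example (this is not Snort and not the diary's own code). It re-implements the rule's two tests, the case-insensitive uricontent check and the pcre, against the request-URI of each line; a single percent-decoding pass is assumed as an approximation of the normalised URI buffer that the rule's U modifier refers to. The sample requests are made up, not captured traffic.

```python
"""Added example for the diary's phpBB highlight rule: apply its uricontent
and pcre tests to constructed request lines.  Not Snort itself; the one-pass
percent-decoding approximates Snort's normalised URI buffer (assumption)."""
import re
from urllib.parse import unquote

URICONTENT = "viewtopic.php?"   # uricontent:"viewtopic.php|3f|"; nocase;
HIGHLIGHT_PCRE = re.compile(r"[?&]highlight=(.\.|%27%2E|%2527%252E)\S+\(",
                            re.IGNORECASE)


def normalised_uri(request_line):
    """Request-URI from 'METHOD /path?query HTTP/x.y', percent-decoded once
    (approximation of the normalised URI buffer); None if not a request."""
    parts = request_line.split()
    if len(parts) < 2 or not parts[1].startswith("/"):
        return None
    return unquote(parts[1])


def rule_matches(request_line):
    """True when both the uricontent and the pcre test of the rule hold."""
    uri = normalised_uri(request_line)
    if uri is None or URICONTENT not in uri.lower():
        return False
    return HIGHLIGHT_PCRE.search(uri) is not None


def scan(request_lines):
    """Return the lines the rule would alert on."""
    return [line for line in request_lines if rule_matches(line)]


# Constructed request lines; none are captured traffic.
SAMPLE_REQUESTS = [
    # ordinary search: no alert
    "GET /phpBB2/viewtopic.php?t=12&highlight=firewall HTTP/1.0",
    # double-encoded quote-dot, decodes once to %27%2E: alert
    "GET /phpBB2/viewtopic.php?t=12&highlight=%2527%252Esystem(chr(105)%252Echr(100))%252E%2527 HTTP/1.0",
    # single-encoded quote-dot, decodes to '.: alert
    "GET /phpBB2/viewtopic.php?t=12&highlight=%27%2Epassthru(%27ls%27)%2E%27 HTTP/1.0",
    # upper-case path (nocase) and a raw '.: alert
    "GET /phpBB2/VIEWTOPIC.PHP?t=12&highlight=%27.phpinfo() HTTP/1.0",
    # any single character followed by '.' then '(' also satisfies (.\.): alert
    "GET /phpBB2/viewtopic.php?t=12&highlight=a.b(c) HTTP/1.0",
    # the dot must be the second character after highlight=: no alert
    "GET /phpBB2/viewtopic.php?t=12&highlight=foo.bar(baz) HTTP/1.0",
    # different script: uricontent fails, no alert
    "GET /phpBB2/posting.php?mode=reply&t=12 HTTP/1.0",
]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print("ALERT " if rule_matches(line) else "      ", line)
```

The `a.b(c)` case shows what the rule's first alternative really keys on: any highlight value whose second character is a dot and which later contains an opening parenthesis, so expect occasional noise from legitimate searches of that shape. Snort's own URI normalisation decides which of the three encoded forms it actually sees; the harness only decodes once.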



Windows Update Alternative


An alternative to Windows Update that many sysadmins may find useful (thanks Matt),
for Windows 2000 SP4, Windows XP SP1 and SP2, or Windows 2003 systems that have updated to the newest version of IE:

http://update.microsoft.com/microsoftupdate/v6/

Fake Microsoft Security Bulletins Alert


A lot of reports have been streaming in regarding fake Microsoft Security Bulletins:
http://www.us-cert.gov/current/archive/2005/06/30/archive.html#Fake_MS
These were recently mentioned here by Kevin Hong (http://isc.sans.org/diary.php?date=2005-06-28).
It is always best to use the standard methods of patch updates (Windows Update or Microsoft Update)
instead of relying on information or URLs provided in an email.
That goes double at the current time, when there is some confusion over the new updater for XP (mentioned in yesterday's diary) and the rollup patch for Windows 2000 SP4, which has been causing issues in some environments. Just take a deep breath and double-check everything before executing code (updates, etc.) as Administrator.




Robert Danford

ISC Handler of the Day